Nuclear cyber security debate hots up

US regulations 'premature', says supplier

Two companies that make digital systems for nuclear power plants have come out against a government proposal that would attach cyber security standards to plant safety systems.

The 15-page proposal, introduced last December by the US Nuclear Regulatory Commission (NRC), would rewrite the commission's "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants." The current version, written in 1996, is three pages long and makes no mention of security.

The plan expands existing reliability requirements for digital safety systems, and infuses security standards into every stage of a system's lifecycle, from drawing board to retirement. Last month the NRC extended a public comment period on the proposal until 14 March to give plant operators and vendors more time to respond.

So far, industry reaction has been less than glowing. Capri Technology, a small California firm that builds specialized systems and software for nuclear plants, calls the regulations "premature", and says the proposal could deter plant operators from installing new digital safety systems entirely.

"The NRC tries to promote the use of digital technology in the nuclear power industry on the one hand, but then over-prescribes what is needed when a digital safety system is proposed," wrote company president William Petrick, in comments filed with the commission. An industry veteran, Petrick advocates withdrawing the proposal until the NRC and industry experts can agree on a more effective cyber security strategy.

Framatone, a French company that develops and builds plants from the ground up, had a similar response. The company argued in its comments that the NRC is painting with too broad a brush - for example, by applying the same security standards to software running on a general purpose computer, and to firmware embedded in a chip.

Cyber security "is sufficiently important and complex to merit a more considered set of guidance," Framatone argued. "A significant joint effort should be undertaken to publish comprehensive cyber security guidance that covers present and planned uses of software in nuclear plants."

Until then, "the entire cyber security section should be deleted and only a passing reference to the subject retained," the company wrote.

International concern

Last year the United Nations' International Atomic Energy Agency (IAEA) warned of growing international concern about the potential for cyber attacks against nuclear facilities, and said it was finalizing new security guidelines of its own. No successful targeted attacks against plants have been publicly reported, but in 2003 the Slammer worm penetrated a private computer network at Ohio's idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours. The worm entered the plant network through an interconnected contractor's network, bypassing Davis-Besse's firewall.

The NRC draft advises against such interconnections. It also urges vendors to add additional security to their software development process, as a bulwark against saboteurs writing backdoors into the code, or implanting logic bombs programmed to shut down a safety system at a particular time.

But securing the software from its own developers "would not be practical to implement", according to comments filed by Virginia-based energy company Dominion, one of two plant operators who chimed in on the proposal. "Access of the programmer to the software is a matter of trust."

Dominion also takes exception to NRC's preference against interconnection. "Remote access to safety system data from outside the physical plant is not necessarily a potential vulnerability," the company wrote. "Access to data through one-way or fixed function gateways should be allowed, assuming proper verification of the integrity of the gateway is verified."

Dominion operates the Millstone nuclear plant in Connecticut, and two plants in Virginia.

Nebraska's Omaha Public Power District (OPPD), which operates the Fort Calhoun nuclear plant, took issue with the proposal's emphasis on technological access control solutions. Obliging plant operators to protect systems with a combination of passwords, smart cards and biometrics could create more problems than it solves, the company wrote.

"Requiring additional security features could compromise the integrity of the safety system itself," wrote the company. "It is OPPD's position that a Safety System Security Plan that includes network security and has well-defined roles and responsibilities of the staff organization is more beneficial than adding unnecessary complexity to the safety system."

Though they suggested changes, neither utility opposed the plan entirely. If the measure is approved, adherence to the new guidelines would be strictly voluntary for operators of the 103 nuclear reactors already running in the US.